Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-9v3w-w2jh-4hff: HashiCorp Vault and Vault Enterprise vulnerable to user enumeration

HashiCorp’s Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

ghsa
#vulnerability#git#ldap#auth

HashiCorp Vault and Vault Enterprise vulnerable to user enumeration

Moderate severity GitHub Reviewed Published Aug 1, 2023 to the GitHub Advisory Database • Updated Aug 1, 2023

Related news

Red Hat Security Advisory 2024-7599-03

Red Hat Security Advisory 2024-7599-03 - Red Hat OpenShift Container Platform release 4.16.16 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution, denial of service, integer overflow, and out of bounds write vulnerabilities.

CVE-2023-3462: HCSEC-2023-24 - Vault's LDAP Auth Method Allows for User Enumeration

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

ghsa: Latest News

GHSA-49cc-xrjf-9qf7: SFTPGo allows administrators to restrict command execution from the EventManager